CVE-2014-7810
Published: 7 June 2015
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
From the Ubuntu security team
It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism.
Priority
Medium
Status
| Package | Release | Status |
|---|---|---|
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.6)
|
|
| trusty |
Released
(6.0.39-1ubuntu0.1)
|
|
| upstream |
Released
(6.0.41-3)
|
|
| utopic |
Ignored
(reached end-of-life)
|
|
| vivid |
Ignored
(reached end-of-life)
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Released
(6.0.45+dfsg-1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1645366 upstream: http://svn.apache.org/viewvc?view=revision&revision=1659538 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.0.61-1)
|
| bionic |
Not vulnerable
(7.0.61-1)
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Released
(7.0.52-1ubuntu0.3)
|
|
| upstream |
Released
(7.0.61-1)
|
|
| utopic |
Released
(7.0.55-1ubuntu0.2)
|
|
| vivid |
Released
(7.0.56-2ubuntu0.1)
|
|
| wily |
Not vulnerable
(7.0.61-1)
|
|
| xenial |
Not vulnerable
(7.0.61-1)
|
|
| yakkety |
Not vulnerable
(7.0.61-1)
|
|
| zesty |
Not vulnerable
(7.0.61-1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1644019 upstream: http://svn.apache.org/viewvc?view=revision&revision=1645644 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(8.0.22-2)
|
| bionic |
Not vulnerable
(8.0.22-2)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.21-2)
|
|
| utopic |
Ignored
(reached end-of-life)
|
|
| vivid |
Released
(8.0.14-1+deb8u1build0.15.04.1)
|
|
| wily |
Not vulnerable
(8.0.22-2)
|
|
| xenial |
Not vulnerable
(8.0.22-2)
|
|
| yakkety |
Not vulnerable
(8.0.22-2)
|
|
| zesty |
Not vulnerable
(8.0.22-2)
|
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810
- http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
- https://ubuntu.com/security/notices/USN-2655-1
- https://ubuntu.com/security/notices/USN-2654-1
- NVD
- Launchpad
- Debian